CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
CVE-2015-6855: ide: divide by zero issue (bz #1261793) CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284) CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287) Make block copy more stable (bz #1264416) Fix hang at start of live merge for large images (bz #1262901)
This commit is contained in:
parent
dedc591ecb
commit
5112d72ec3
@ -0,0 +1,35 @@
|
||||
From: P J P <pjp@fedoraproject.org>
|
||||
Date: Fri, 4 Sep 2015 17:21:06 +0100
|
||||
Subject: [PATCH] e1000: Avoid infinite loop in processing transmit descriptor
|
||||
(CVE-2015-6815)
|
||||
|
||||
While processing transmit descriptors, it could lead to an infinite
|
||||
loop if 'bytes' was to become zero; Add a check to avoid it.
|
||||
|
||||
[The guest can force 'bytes' to 0 by setting the hdr_len and mss
|
||||
descriptor fields to 0.
|
||||
--Stefan]
|
||||
|
||||
Signed-off-by: P J P <pjp@fedoraproject.org>
|
||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Reviewed-by: Thomas Huth <thuth@redhat.com>
|
||||
Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
|
||||
(cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7)
|
||||
---
|
||||
hw/net/e1000.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
|
||||
index 0fc29a0..d41955e 100644
|
||||
--- a/hw/net/e1000.c
|
||||
+++ b/hw/net/e1000.c
|
||||
@@ -708,7 +708,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
|
||||
memmove(tp->data, tp->header, tp->hdr_len);
|
||||
tp->size = tp->hdr_len;
|
||||
}
|
||||
- } while (split_size -= bytes);
|
||||
+ split_size -= bytes;
|
||||
+ } while (bytes && split_size);
|
||||
} else if (!tp->tse && tp->cptse) {
|
||||
// context descriptor TSE is not set, while data descriptor TSE is set
|
||||
DBGOUT(TXERR, "TCP segmentation error\n");
|
141
0103-ide-fix-ATAPI-command-permissions.patch
Normal file
141
0103-ide-fix-ATAPI-command-permissions.patch
Normal file
@ -0,0 +1,141 @@
|
||||
From: John Snow <jsnow@redhat.com>
|
||||
Date: Thu, 17 Sep 2015 14:17:05 -0400
|
||||
Subject: [PATCH] ide: fix ATAPI command permissions
|
||||
|
||||
We're a little too lenient with what we'll let an ATAPI drive handle.
|
||||
Clamp down on the IDE command execution table to remove CD_OK permissions
|
||||
from commands that are not and have never been ATAPI commands.
|
||||
|
||||
For ATAPI command validity, please see:
|
||||
- ATA4 Section 6.5 ("PACKET Command feature set")
|
||||
- ATA8/ACS Section 4.3 ("The PACKET feature set")
|
||||
- ACS3 Section 4.3 ("The PACKET feature set")
|
||||
|
||||
ACS3 has a historical command validity table in Table B.4
|
||||
("Historical Command Assignments") that can be referenced to find when
|
||||
a command was introduced, deprecated, obsoleted, etc.
|
||||
|
||||
The only reference for ATAPI command validity is by checking that
|
||||
version's PACKET feature set section.
|
||||
|
||||
ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
|
||||
therefore are assumed to have never been ATAPI commands.
|
||||
|
||||
Mandatory commands, as listed in ATA8-ACS3, are:
|
||||
|
||||
- DEVICE RESET
|
||||
- EXECUTE DEVICE DIAGNOSTIC
|
||||
- IDENTIFY DEVICE
|
||||
- IDENTIFY PACKET DEVICE
|
||||
- NOP
|
||||
- PACKET
|
||||
- READ SECTOR(S)
|
||||
- SET FEATURES
|
||||
|
||||
Optional commands as listed in ATA8-ACS3, are:
|
||||
|
||||
- FLUSH CACHE
|
||||
- READ LOG DMA EXT
|
||||
- READ LOG EXT
|
||||
- WRITE LOG DMA EXT
|
||||
- WRITE LOG EXT
|
||||
|
||||
All other commands are illegal to send to an ATAPI device and should
|
||||
be rejected by the device.
|
||||
|
||||
CD_OK removal justifications:
|
||||
|
||||
0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI.
|
||||
0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4.
|
||||
0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI.
|
||||
0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI.
|
||||
0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI.
|
||||
0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI.
|
||||
0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI.
|
||||
0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI.
|
||||
0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
|
||||
0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3.
|
||||
0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3.
|
||||
0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3.
|
||||
0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3.
|
||||
0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
|
||||
0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.
|
||||
|
||||
This patch fixes a divide by zero fault that can be caused by sending
|
||||
the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
|
||||
attempt to use zeroed CHS values to perform sector arithmetic.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: John Snow <jsnow@redhat.com>
|
||||
Reviewed-by: Markus Armbruster <armbru@redhat.com>
|
||||
Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com
|
||||
CC: qemu-stable@nongnu.org
|
||||
(cherry picked from commit d9033e1d3aa666c5071580617a57bd853c5d794a)
|
||||
---
|
||||
hw/ide/core.c | 30 +++++++++++++++---------------
|
||||
1 file changed, 15 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/hw/ide/core.c b/hw/ide/core.c
|
||||
index 4ac3731..370963a 100644
|
||||
--- a/hw/ide/core.c
|
||||
+++ b/hw/ide/core.c
|
||||
@@ -1668,11 +1668,11 @@ static const struct {
|
||||
} ide_cmd_table[0x100] = {
|
||||
/* NOP not implemented, mandatory for CD */
|
||||
[CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK },
|
||||
- [WIN_DSM] = { cmd_data_set_management, ALL_OK },
|
||||
+ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK },
|
||||
[WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK },
|
||||
[WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC},
|
||||
[WIN_READ] = { cmd_read_pio, ALL_OK },
|
||||
- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK },
|
||||
+ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK },
|
||||
[WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK },
|
||||
[WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK },
|
||||
[WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
|
||||
@@ -1691,12 +1691,12 @@ static const struct {
|
||||
[CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK },
|
||||
[WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK },
|
||||
[WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC },
|
||||
- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK },
|
||||
- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK },
|
||||
- [WIN_STANDBY2] = { cmd_nop, ALL_OK },
|
||||
- [WIN_SETIDLE2] = { cmd_nop, ALL_OK },
|
||||
- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC },
|
||||
- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK },
|
||||
+ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
|
||||
+ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK },
|
||||
[WIN_PACKETCMD] = { cmd_packet, CD_OK },
|
||||
[WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK },
|
||||
[WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC },
|
||||
@@ -1710,19 +1710,19 @@ static const struct {
|
||||
[WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK },
|
||||
[WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK },
|
||||
[CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK },
|
||||
- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK },
|
||||
- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK },
|
||||
- [WIN_STANDBY] = { cmd_nop, ALL_OK },
|
||||
- [WIN_SETIDLE1] = { cmd_nop, ALL_OK },
|
||||
- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC },
|
||||
- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK },
|
||||
+ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
|
||||
+ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK },
|
||||
[WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK },
|
||||
[WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK },
|
||||
[WIN_IDENTIFY] = { cmd_identify, ALL_OK },
|
||||
[WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC },
|
||||
[IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
|
||||
[CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
|
||||
- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC },
|
||||
+ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
|
||||
};
|
||||
|
||||
static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)
|
@ -0,0 +1,32 @@
|
||||
From: P J P <pjp@fedoraproject.org>
|
||||
Date: Tue, 15 Sep 2015 16:46:59 +0530
|
||||
Subject: [PATCH] net: avoid infinite loop when receiving
|
||||
packets(CVE-2015-5278)
|
||||
|
||||
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
|
||||
bytes to process network packets. While receiving packets
|
||||
via ne2000_receive() routine, a local 'index' variable
|
||||
could exceed the ring buffer size, leading to an infinite
|
||||
loop situation.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: P J P <pjp@fedoraproject.org>
|
||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943)
|
||||
---
|
||||
hw/net/ne2000.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
|
||||
index d558b8c..5cc329e 100644
|
||||
--- a/hw/net/ne2000.c
|
||||
+++ b/hw/net/ne2000.c
|
||||
@@ -253,7 +253,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
|
||||
if (index <= s->stop)
|
||||
avail = s->stop - index;
|
||||
else
|
||||
- avail = 0;
|
||||
+ break;
|
||||
len = size;
|
||||
if (len > avail)
|
||||
len = avail;
|
@ -0,0 +1,67 @@
|
||||
From: P J P <pjp@fedoraproject.org>
|
||||
Date: Tue, 15 Sep 2015 16:40:49 +0530
|
||||
Subject: [PATCH] net: add checks to validate ring buffer
|
||||
pointers(CVE-2015-5279)
|
||||
|
||||
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
|
||||
bytes to process network packets. While receiving packets
|
||||
via ne2000_receive() routine, a local 'index' variable
|
||||
could exceed the ring buffer size, which could lead to a
|
||||
memory buffer overflow. Added other checks at initialisation.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: P J P <pjp@fedoraproject.org>
|
||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
|
||||
---
|
||||
hw/net/ne2000.c | 19 +++++++++++++++----
|
||||
1 file changed, 15 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
|
||||
index 5cc329e..91e9685 100644
|
||||
--- a/hw/net/ne2000.c
|
||||
+++ b/hw/net/ne2000.c
|
||||
@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
|
||||
}
|
||||
|
||||
index = s->curpag << 8;
|
||||
+ if (index >= NE2000_PMEM_END) {
|
||||
+ index = s->start;
|
||||
+ }
|
||||
/* 4 bytes for header */
|
||||
total_len = size + 4;
|
||||
/* address for next packet (4 bytes for CRC) */
|
||||
@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
|
||||
offset = addr | (page << 4);
|
||||
switch(offset) {
|
||||
case EN0_STARTPG:
|
||||
- s->start = val << 8;
|
||||
+ if (val << 8 <= NE2000_PMEM_END) {
|
||||
+ s->start = val << 8;
|
||||
+ }
|
||||
break;
|
||||
case EN0_STOPPG:
|
||||
- s->stop = val << 8;
|
||||
+ if (val << 8 <= NE2000_PMEM_END) {
|
||||
+ s->stop = val << 8;
|
||||
+ }
|
||||
break;
|
||||
case EN0_BOUNDARY:
|
||||
- s->boundary = val;
|
||||
+ if (val << 8 < NE2000_PMEM_END) {
|
||||
+ s->boundary = val;
|
||||
+ }
|
||||
break;
|
||||
case EN0_IMR:
|
||||
s->imr = val;
|
||||
@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
|
||||
s->phys[offset - EN1_PHYS] = val;
|
||||
break;
|
||||
case EN1_CURPAG:
|
||||
- s->curpag = val;
|
||||
+ if (val << 8 < NE2000_PMEM_END) {
|
||||
+ s->curpag = val;
|
||||
+ }
|
||||
break;
|
||||
case EN1_MULT ... EN1_MULT + 7:
|
||||
s->mult[offset - EN1_MULT] = val;
|
60
0106-block-mirror-limit-qiov-to-IOV_MAX-elements.patch
Normal file
60
0106-block-mirror-limit-qiov-to-IOV_MAX-elements.patch
Normal file
@ -0,0 +1,60 @@
|
||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Date: Wed, 1 Jul 2015 15:45:50 +0100
|
||||
Subject: [PATCH] block/mirror: limit qiov to IOV_MAX elements
|
||||
|
||||
If mirror has more free buffers than IOV_MAX, preadv(2)/pwritev(2)
|
||||
EINVAL failures may be encountered.
|
||||
|
||||
It is possible to trigger this by setting granularity to a low value
|
||||
like 8192.
|
||||
|
||||
This patch stops appending chunks once IOV_MAX is reached.
|
||||
|
||||
The spurious EINVAL failure can be reproduced with a qcow2 image file
|
||||
and the following QMP invocation:
|
||||
|
||||
qmp.command('drive-mirror', device='virtio0', target='/tmp/r7.s1',
|
||||
granularity=8192, sync='full', mode='absolute-paths',
|
||||
format='raw')
|
||||
|
||||
While the guest is running dd if=/dev/zero of=/var/tmp/foo oflag=direct
|
||||
bs=4k.
|
||||
|
||||
Cc: Jeff Cody <jcody@redhat.com>
|
||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Message-id: 1435761950-26714-1-git-send-email-stefanha@redhat.com
|
||||
Signed-off-by: Jeff Cody <jcody@redhat.com>
|
||||
(cherry picked from commit cae98cb87d269c33d23b2bccd79bb8d99a60d811)
|
||||
---
|
||||
block/mirror.c | 4 ++++
|
||||
trace-events | 1 +
|
||||
2 files changed, 5 insertions(+)
|
||||
|
||||
diff --git a/block/mirror.c b/block/mirror.c
|
||||
index c7a655f..b03973c 100644
|
||||
--- a/block/mirror.c
|
||||
+++ b/block/mirror.c
|
||||
@@ -237,6 +237,10 @@ static uint64_t coroutine_fn mirror_iteration(MirrorBlockJob *s)
|
||||
trace_mirror_break_buf_busy(s, nb_chunks, s->in_flight);
|
||||
break;
|
||||
}
|
||||
+ if (IOV_MAX < nb_chunks + added_chunks) {
|
||||
+ trace_mirror_break_iov_max(s, nb_chunks, added_chunks);
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
/* We have enough free space to copy these sectors. */
|
||||
bitmap_set(s->in_flight_bitmap, next_chunk, added_chunks);
|
||||
diff --git a/trace-events b/trace-events
|
||||
index 11a17a8..d035631 100644
|
||||
--- a/trace-events
|
||||
+++ b/trace-events
|
||||
@@ -89,6 +89,7 @@ mirror_yield(void *s, int64_t cnt, int buf_free_count, int in_flight) "s %p dirt
|
||||
mirror_yield_in_flight(void *s, int64_t sector_num, int in_flight) "s %p sector_num %"PRId64" in_flight %d"
|
||||
mirror_yield_buf_busy(void *s, int nb_chunks, int in_flight) "s %p requested chunks %d in_flight %d"
|
||||
mirror_break_buf_busy(void *s, int nb_chunks, int in_flight) "s %p requested chunks %d in_flight %d"
|
||||
+mirror_break_iov_max(void *s, int nb_chunks, int added_chunks) "s %p requested chunks %d added_chunks %d"
|
||||
|
||||
# block/backup.c
|
||||
backup_do_cow_enter(void *job, int64_t start, int64_t sector_num, int nb_sectors) "job %p start %"PRId64" sector_num %"PRId64" nb_sectors %d"
|
@ -0,0 +1,57 @@
|
||||
From: Fam Zheng <famz@redhat.com>
|
||||
Date: Wed, 13 May 2015 11:11:13 +0800
|
||||
Subject: [PATCH] block/mirror: Sleep periodically during bitmap scanning
|
||||
|
||||
Before, we only yield after initializing dirty bitmap, where the QMP
|
||||
command would return. That may take very long, and guest IO will be
|
||||
blocked.
|
||||
|
||||
Add sleep points like the later mirror iterations.
|
||||
|
||||
Signed-off-by: Fam Zheng <famz@redhat.com>
|
||||
Reviewed-by: Wen Congyang <wency@cn.fujitsu.com>
|
||||
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Message-id: 1431486673-19280-1-git-send-email-famz@redhat.com
|
||||
Signed-off-by: Jeff Cody <jcody@redhat.com>
|
||||
(cherry picked from commit 4c0cbd6fec7db182a6deb52d5a8a8e7b0c5cbe64)
|
||||
---
|
||||
block/mirror.c | 13 ++++++++++++-
|
||||
1 file changed, 12 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/block/mirror.c b/block/mirror.c
|
||||
index b03973c..b56ba66 100644
|
||||
--- a/block/mirror.c
|
||||
+++ b/block/mirror.c
|
||||
@@ -375,11 +375,23 @@ static void coroutine_fn mirror_run(void *opaque)
|
||||
sectors_per_chunk = s->granularity >> BDRV_SECTOR_BITS;
|
||||
mirror_free_init(s);
|
||||
|
||||
+ last_pause_ns = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
|
||||
if (!s->is_none_mode) {
|
||||
/* First part, loop on the sectors and initialize the dirty bitmap. */
|
||||
BlockDriverState *base = s->base;
|
||||
for (sector_num = 0; sector_num < end; ) {
|
||||
int64_t next = (sector_num | (sectors_per_chunk - 1)) + 1;
|
||||
+ int64_t now = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
|
||||
+
|
||||
+ if (now - last_pause_ns > SLICE_TIME) {
|
||||
+ last_pause_ns = now;
|
||||
+ block_job_sleep_ns(&s->common, QEMU_CLOCK_REALTIME, 0);
|
||||
+ }
|
||||
+
|
||||
+ if (block_job_is_cancelled(&s->common)) {
|
||||
+ goto immediate_exit;
|
||||
+ }
|
||||
+
|
||||
ret = bdrv_is_allocated_above(bs, base,
|
||||
sector_num, next - sector_num, &n);
|
||||
|
||||
@@ -398,7 +410,6 @@ static void coroutine_fn mirror_run(void *opaque)
|
||||
}
|
||||
|
||||
bdrv_dirty_iter_init(bs, s->dirty_bitmap, &s->hbi);
|
||||
- last_pause_ns = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
|
||||
for (;;) {
|
||||
uint64_t delay_ns = 0;
|
||||
int64_t cnt;
|
36
qemu.spec
36
qemu.spec
@ -152,7 +152,7 @@
|
||||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 2.1.3
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
Group: Development/Tools
|
||||
@ -260,6 +260,19 @@ Patch0036: 0036-rtl8139-check-TCP-Data-Offset-field-CVE-2015-5165.patch
|
||||
# CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface
|
||||
# (bz #1255899)
|
||||
Patch0101: 0101-vnc-fix-memory-corruption-CVE-2015-5225.patch
|
||||
# CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
|
||||
Patch0102: 0102-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch
|
||||
# CVE-2015-6855: ide: divide by zero issue (bz #1261793)
|
||||
Patch0103: 0103-ide-fix-ATAPI-command-permissions.patch
|
||||
# CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284)
|
||||
Patch0104: 0104-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch
|
||||
# CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz
|
||||
# #1263287)
|
||||
Patch0105: 0105-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch
|
||||
# Make block copy more stable (bz #1264416)
|
||||
Patch0106: 0106-block-mirror-limit-qiov-to-IOV_MAX-elements.patch
|
||||
# Fix hang at start of live merge for large images (bz #1262901)
|
||||
Patch0107: 0107-block-mirror-Sleep-periodically-during-bitmap-scanni.patch
|
||||
|
||||
BuildRequires: SDL2-devel
|
||||
BuildRequires: zlib-devel
|
||||
@ -854,6 +867,19 @@ CAC emulation development files.
|
||||
# CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface
|
||||
# (bz #1255899)
|
||||
%patch0101 -p1
|
||||
# CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
|
||||
%patch0102 -p1
|
||||
# CVE-2015-6855: ide: divide by zero issue (bz #1261793)
|
||||
%patch0103 -p1
|
||||
# CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284)
|
||||
%patch0104 -p1
|
||||
# CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz
|
||||
# #1263287)
|
||||
%patch0105 -p1
|
||||
# Make block copy more stable (bz #1264416)
|
||||
%patch0106 -p1
|
||||
# Fix hang at start of live merge for large images (bz #1262901)
|
||||
%patch0107 -p1
|
||||
|
||||
|
||||
%build
|
||||
@ -1634,6 +1660,14 @@ getent passwd qemu >/dev/null || \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Sep 21 2015 Cole Robinson <crobinso@redhat.com> - 2:2.1.3-11
|
||||
- CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
|
||||
- CVE-2015-6855: ide: divide by zero issue (bz #1261793)
|
||||
- CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284)
|
||||
- CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287)
|
||||
- Make block copy more stable (bz #1264416)
|
||||
- Fix hang at start of live merge for large images (bz #1262901)
|
||||
|
||||
* Mon Aug 31 2015 Cole Robinson <crobinso@redhat.com> - 2:2.1.3-10
|
||||
- CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface (bz
|
||||
#1255899)
|
||||
|
Loading…
Reference in New Issue
Block a user